Authored by Scott Hall
On March 15, 2017, Senator Edward Markey (D-Mass.) and Representative Peter Welch (D-Vt.) introduced federal legislation entitled the Drone Privacy and Transparency Act of 2017.1 The proposed legislation seeks to address growing concerns regarding personal privacy violations anticipated by (or, perhaps, already resulting from) the continuing increase of unmanned aircraft systems (“UAS” or “drones”) in the nation’s skies. To that end, the proposed legislation would require every person or entity seeking to use a drone for commercial purposes to provide certain information about where, when, and for what purposes the drone will be flown, and whether it will collect, sell, or otherwise use personal information about any individuals. The legislation would also require the FAA to publicly disclose this information on the Internet. Additionally, the legislation would ban any use of drones by law enforcement personnel without a warrant.
The proposed legislation purports to be a necessary response to the threat of “invasive and pervasive” drone surveillance that is predicted to occur as commercial drone use in the U.S. continues to expand.2 However, while certain privacy concerns based on the ever-increasing use and rapidly evolving technological capabilities of drones may be warranted, the proposed legislation appears to be both underinclusive and overbroad in its attempt to address potential violations of personal privacy. For example, if enacted, the bill would impose additional pre-authorization requirements on anyone seeking approval to operate a drone, and would also require public disclosure of the time and location of planned drone operations, as well as details regarding the specific technical capabilities of the drone – regardless of the drone’s actual or intended operation. But, the bill does not specifically prohibit any particular type of drone operation or method of data collection as long as the required pre-authorization and disclosure requirements have been satisfied. Moreover, the bill explicitly does not apply to “model aircraft” (i.e., drones flown for hobby purposes), which are generally understood to be outside the Federal Aviation Administration’s scope of authority. Yet, hobby drones are just as capable of violating personal privacy as drones used for commercial purposes. In fact, hobby drones are frequently involved in national news stories regarding privacy violations (such as drones hovering near bedroom windows or over backyard pools), and have likely contributed more to the current public sentiment of fear and distrust underlying the proposed legislation than commercial drones.
Additionally, the proposed legislation would have the federal government wade into – and most likely preempt – areas of law typically left to the states, such as privacy, trespass, and state and local police power. In recent years, many states and localities have enacted drone-specific laws aimed at protecting privacy. Several states have also passed laws regulating law enforcement use of drones. The proposed federal legislation would likely preempt many of these state and local laws. Therefore, before granting such broad federal power over drone regulation, more thought should be given to whether, and in what contexts, states are better suited to decide what drone operations should or should not be permitted in their jurisdiction and how their local law enforcement agencies should be permitted to conduct their work (within constitutional limits). Indeed, given that hobby drones are generally not subject to FAA regulation, state drone legislation has become increasingly important. Thus, the potential preemption of state laws that may occur as a result of vesting the federal government with broad authority over issues like privacy and state police power may impair the ability of state and local governments to effectively address drone concerns specific to their locale.
In light of the many valuable current and anticipated applications of drone technology – which the bill explicitly recognizes – the preferred course of action may be to avoid forcing a federal “one-size-fits-all” privacy law on drones. Rather, it may be better for the federal government to continue to work cooperatively with states to define respective areas of state and federal responsibility over drones and to target particularized unlawful or undesirable conduct for specific regulation, while avoiding imposing more burdensome pre-authorization requirements on all drone operators, which could discourage or inhibit beneficial drone use and innovation.
The Drone Privacy And Transparency Act proposes three main methods to safeguard personal privacy threatened by drones: (1) required pre-authorization information statements about the intended use of the drone, including potential data collection and use; (2) public disclosure of information relating to the ownership, operation and capabilities of each drone authorized to operate in the national airspace; and (3) prohibition on law enforcement use of drones without a warrant, as well as required statements and policies to minimize collection of data outside the necessary scope of an investigation or warrant.
First, the bill proposes to implement additional procedures for anyone seeking authorization to operate a drone for non-hobby use. Specifically, the bill would prohibit the FAA from approving, issuing or awarding any license, certificate or other grant of authority to operate a drone in the national airspace unless the person seeking such authorization or approval provides a “data collection statement” detailing, among other things: (1) the identity of individuals or entities that will use the drone, (2) the specific locations and time period in which the drone will operate, and (3) what types of information or data about individuals or groups will be collected by the drone, including (a) how such data will be used or sold, (b) how information unrelated to the specified use will be minimized, (c) how long any such data will be retained, and (d) how such data will be destroyed. The data collection statement must also identify the possible impact of the drone on individual privacy, the specific steps that will be taken to mitigate any such impact, and contact information for reporting complaints and/or requesting information related to the collection of personally identifiable data. The bill would allow individuals whose data has been collected to request and obtain such data, as well as to challenge the accuracy of that data and/or challenge the denial of access to the data.3
Second, the bill seeks to promote transparency of drone data collection by requiring the FAA to make publicly available, on the Internet, the names and contact information for each owner and operator of an authorized drone, the tail/identification number for each authorized drone, a description of the technical capabilities of each authorized drone (including cameras, thermal imaging, mobile phone interception, facial recognition, license plate reader, etc.), information detailing where, when and for what purpose each authorized drone will be operated, and the applicable data collection statement, data minimization statement, and applicable license, approval or grant of authority for each authorized drone. The bill would also require public disclosure of any data security breach with respect to information collected by a drone.
C. Restrictions On Law Enforcement Use Of Drones
Third, the bill seeks to address concerns over law enforcement use of drones by prohibiting a governmental entity (including any federal or state agency) from using drones for law enforcement or intelligence purposes without a warrant. Moreover, the bill would prohibit the FAA from authorizing any drone operation by a law enforcement agency (or its contractor or subcontractor) unless the agency submits a “data minimization statement.” The data minimization statement must detail the specific policies adopted by that agency to minimize the collection by a drone of information that is unrelated to the investigation of a crime under a warrant, as well as to require the destruction of information no longer relevant to such an investigation or an ongoing criminal proceeding. The bill would also require law enforcement agencies to describe their audit and oversight procedures with respect to ensuring that the agency’s drone operation is compliant with the submitted data collection statement and data minimization statement.
The proposed legislation purports to apply to every person or entity that currently uses, or that seeks to use, drones for any non-hobby purpose. Thus, the effects of the legislation would be significant given the substantial increase in the use of drones by businesses across numerous industries over the past few years. Of course, because of the variety of technology that can be employed by drones to conduct surveillance, including cameras for photographs or video recording, thermal imaging, GPS trackers, license-plate readers, facial recognition software and more, public concern over potential violations of privacy and misuse of personal information is certainly valid. However, careful consideration is warranted before passing the proposed legislation given that its actual application is likely to have far-reaching effects that go beyond merely protecting privacy to potentially stifling desirable drone operation and innovation.
In fact, the bill’s prohibition on any license, approval or other authorization to operate a drone absent compliance with the required data collection statement constitutes a sharp departure from the FAA’s recent direction of reducing regulatory hurdles to drone operation. Just last summer, for example, the FAA adopted uniform rules for the operation of small drones (14 C.F.R. Part 107), which allow for the operation of drones for commercial or non-hobby purposes without a specific certificate of authorization or waiver from the FAA, as long as drone operators abide by certain rules and restrictions, including operating only during daylight hours, abiding by certain speed and weight limits, and having an operator with a remote pilot certificate. This recent relaxing of formal regulatory approval for commercial drone operation has been widely applauded by the drone industry. The proposed privacy legislation may therefore be seen as a step backwards for the industry, which, despite recent progress, still suffers from heavy regulation and uncertainty. Indeed, many blame the current regulatory restrictions on drones as the reason many drone companies have chosen to conduct research or operations in foreign countries that do not have such restrictions.4 Thus, while privacy concerns relating to drones need to be addressed, the proposed legislation’s focus on pre-authorization procedures and public disclosures, rather than specific misconduct, may adversely impact drone operations that raise no serious privacy concerns.
The proposed legislation would also raise new preemption issues and fresh ambiguity about the proper role of state and local governments in regulating drones. Indeed, the bill is in direct conflict with statements currently maintained on the FAA’s website regarding the proper role of state and local regulation of drones, which identify privacy and law enforcement operations, among other issues, as generally not being subject to federal regulation.5 Consistent with this position, the small drone rules adopted by the FAA last summer explicitly avoided privacy issues and warned drone operators that “state and local authorities may enact privacy-related laws specific to UAS operations.”6 To the extent the proposed legislation is viewed as a decision by Congress to legislate privacy issues for drones at the federal level, this departure from the previous federal-state division of authority could have wide-ranging impacts, particularly given that many states have already passed laws regulating various aspects of drone operation.
Although states differ in their approaches to privacy protection, several states have recently passed or revised laws to protect personal privacy against drone misuse. Some states, for example, have passed laws prohibiting the use of drones to commit voyeurism, stalking, or other surveillance in violation of an individual’s reasonable expectation of privacy. Other states, including California, have attempted to protect privacy by prohibiting, as trespass, the capture of images, sounds, or other data of a personal nature by drones over private property. Still other states prohibit surveillance or capture of images or data in specific locations, such as schools, prisons, or at public events. At least one state (Oklahoma) has even recently proposed legislation that would permit property owners to shoot down or otherwise destroy drones flying over their property or “where a reasonable expectation of privacy exists.” Thus, although there is still much work to be done to ensure a comprehensive legal framework sufficient to safeguard personal privacy against all potential drone intrusions, this area appears to be one in which states are actively involved and uniquely positioned to address the specific concerns and needs of their locale. It is therefore questionable whether a broad, federal privacy law that might preempt such state and local laws is the preferred course of action.
Additionally, many states have already passed laws regulating the use of drones by law enforcement personnel. The proposed legislation, however, purports to apply to all federal and state law enforcement agencies and imposes a blanket prohibition on any drone use not authorized by a warrant. While it makes sense to require a warrant to use certain drone technology, such as thermal imaging, facial recognition software, or GPS tracking, there is less justification for prohibiting use of drones by law enforcement personnel for simple aerial monitoring or the capture of images or video available to any member of the public. In fact, the U.S. Supreme Court has specifically held that any place that could theoretically be viewed by a member of the public, including from an aircraft, can also be observed by a government agency without constituting a violation of the Fourth Amendment.7 Of course, the Court left open the question of when any specific instance of observation might constitute a violation of privacy, but suggested that it should be addressed on a case by case basis, as opposed to the uniform ban contemplated by the proposed legislation. To be sure, misuse of drones by law enforcement is certainly cause for concern. But state and local governments have typically been given authority to regulate their own police power within constitutional limits, and nothing suggests that this should change merely because the methods of surveillance continue to change.
Notably, the proposed legislation explicitly does not apply to “model aircraft,” which includes small drones that are flown strictly for
obby or recreation purposes, as opposed to commercial use. Thus, although the legislation would monitor and disclose the collection, sale or other commercial use of personal information by drone operators, it does not cover activity such as stalking, voyeurism, or other surveillance in which drone operators collect private images, video, or other data for their own personal use. While large-scale collection and commercial exploitation of personal data is certainly one type of privacy harm that could be committed by drones, the instances of drones “peeping” in bedroom windows, hovering over swimming pools, or personally stalking or harassing individuals also constitute serious privacy concerns that are more likely to be committed by hobby drone users not covered by the proposed legislation.
It may therefore be preferable to allow state and local governments to continue to enact privacy-related legislation focused on specific unlawful or undesirable conduct that applies to both commercial and non-commercial drone operation. At the same time, certain existing federal and state laws that already regulate the maintenance and disclosure of personally identifiable information could be updated to explicitly apply to personal data collected by drone technology. This combination of federal and state protection to prohibit particularized, objectionable drone conduct, while also regulating the maintenance, use and disclosure of personal data, could be far more effective – and much less burdensome on those seeking to use drones for purposes other than data collection – than to require all drone operators to comply with burdensome pre-authorization and public disclosure requirements.
A few other issues in the proposed legislation are worth noting:
The bill specifically excepts from its coverage drones “operated for news-gathering activities protected by the First Amendment.” Although this is an important exception in principle, the ambiguity regarding what drone operation might properly be covered by this provision will undoubtedly raise difficulties in application.
The bill also makes any operation of a drone in violation of the statutory provisions unlawful, and vests enforcement power principally with Federal Trade Commission. It also permits civil actions by states (subject to notice to and coordination with the FTC) against violators that are deemed to have threatened or harmed the interests of residents of the state.
Notably, the bill also creates a private cause of action for any person injured by an act in violation of the statute and allows both injunctive relief and monetary damages, including the greater of actual monetary loss or $1,000 per violation. As discussed above, because the proposed legislation focuses on compliance with pre-authorization and public disclosure requirements – as opposed to any actual misuse of personal information – it is questionable whether this private right of action would be effective in terms of safeguarding privacy, or whether it would become simply another statute under which individuals seek monetary damages based solely on an individual’s or entity’s failure to comply with regulatory requirements.
Given the current technological landscape, protection of personal privacy and personally identifiable information has never been more important. But there are already various federal and state laws that govern how personal information may be collected, used and disclosed. Drones merely present a new method by which personal information and data may be collected. However, not all drones are, or will be, operated for the purpose of collecting personal information. Many individuals and businesses seek to operate drones to perform tasks related to precision agriculture, aerial photography, infrastructure monitoring, product delivery, search and rescue, disaster response, and many other beneficial services that do not involve the collection of individuals’ personal data or personally identifiable information. Rather than imposing additional regulatory hurdles on all drone users, it may be preferable to focus on regulating specific conduct or data collection and disclosure practices by those seeking to engage in such conduct. This may be most effectively accomplished by having the federal government share – rather than usurp – authority over drone privacy-related regulation. Caution should therefore be taken before enacting the proposed legislation, which would potentially nullify a substantial amount of state legislation already addressing drone impacts on personal privacy.
Ultimately, the proposed legislation, at least in its current form, may never become law. In fact, similar legislation was introduced in 2015 without success. However, the proposed legislation highlights important issues of privacy that should be considered and discussed as drone use and capabilities expand. The difficult task is finding the right balance between safeguarding individuals’ reasonable expectations of privacy while still fostering innovation and expansion of the many beneficial current and anticipated uses of drones. To the extent the bill’s purpose is to put the conversation regarding drones and privacy issues front and center, that mission will hopefully be accomplished. The public should be informed and aware of potential privacy concerns caused by drones and participate in legislative processes aimed at addressing those concerns. However, with regard to privacy protection, at least some of that legislation may be best handled at the state and local level. In any event, with the drone industry expected to continue its rapid growth for the foreseeable future, it is likely that public discussion and debate about drones and privacy has only just begun.
1. A copy of the proposed legislation is available at: https://www.markey.senate.gov/imo/media/doc/2017-03-14-DronePrivacy-Bill-text.pdf
2. The proposed legislation references estimates indicating that commercial drone sales may reach 2.7 million annually by 2020.
3. Although the bill only purports to require data collection statements for any drone approval or authorization as of the date of the enactment of bill, it nonetheless requires the FAA to publicly disclose information required in the data collection statement for every drone authorized to operate in the national airspace, including those operating pursuant to licenses or grants of authority awarded before the date of enactment. (See Sec. 339(a), (b)(1).) Thus, as a practical matter, the provisions of the bill would apply to all drones authorized to operate in the national airspace, whether approved before or after passage of the proposed legislation.
4. Although the proposed legislation does not discuss how its requirements would interact with the current regulatory framework, including the FAA’s small drone rules, the legislation purports to require compliance with its provisions for any certificate, license, “or other grant of authority” to operate a drone – including authority granted prior to enactment of the law – which presumably encompasses any authorization bestowed by Part 107, as well as the remote pilot certificate required for operation under that section.
5. December 7, 2015 Fact Sheet: State and Local Regulation of Unmanned Aircraft Systems (UAS).
6. The FAA’s decision not to address privacy issues in its small drone rules caused an uproar among many groups who hoped to see privacy regulation addressed by the FAA’s drone rules. In fact, following release of the FAA’s rule last year, the Electronic Privacy Information Center (“EPIC”) sued the FAA for failing to address privacy issues in its rules.
7. See Florida v. Riley, 488 U.S. 445, 455 (1989).